Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-53306

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: hvc_iucv: fix off-by-one in number of supported devices<br /> <br /> MAX_HVC_IUCV_LINES == HVC_ALLOC_TTY_ADAPTERS == 8.<br /> This is the number of entries in:<br /> static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];<br /> <br /> Sometimes hvc_iucv_table[] is limited by:<br /> (a) if (num &gt; hvc_iucv_devices) // for error detection<br /> or<br /> (b) for (i = 0; i MAX_HVC_IUCV_LINES)<br /> <br /> If hvc_iucv_devices == 8, (a) allows the code to access hvc_iucv_table[8].<br /> Oops.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53292

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind<br /> <br /> syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via<br /> pn_socket_autobind():<br /> <br /> kernel BUG at net/phonet/socket.c:213!<br /> RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]<br /> RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421<br /> Call Trace:<br /> sock_sendmsg_nosec+0x112/0x150 net/socket.c:797<br /> __sock_sendmsg net/socket.c:812 [inline]<br /> __sys_sendto+0x402/0x590 net/socket.c:2280<br /> ...<br /> <br /> pn_socket_autobind() calls pn_socket_bind() with port 0 and, on<br /> -EINVAL, assumes the socket was already bound and asserts that the<br /> port is non-zero:<br /> <br /> err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));<br /> if (err != -EINVAL)<br /> return err;<br /> BUG_ON(!pn_port(pn_sk(sock-&gt;sk)-&gt;sobject));<br /> return 0; /* socket was already bound */<br /> <br /> However pn_socket_bind() also returns -EINVAL when sk-&gt;sk_state is not<br /> TCP_CLOSE, even when the socket has never been bound and pn_port() is<br /> still 0. In that case the BUG_ON() fires and panics the kernel from a<br /> user-triggerable path.<br /> <br /> Treat the "bind returned -EINVAL but pn_port() is still 0" case as a<br /> regular error and propagate -EINVAL to the caller instead of crashing.<br /> Existing callers already translate a non-zero return from<br /> pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here<br /> only changes behaviour from panic to a normal errno.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53293

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG<br /> <br /> There were multiple issues in that code.<br /> <br /> First of all the order between the reset semaphore and the mm_lock was<br /> wrong (e.g. copy_to_user) was called while holding the lock.<br /> <br /> Then we allocated memory while holding the reset semaphore which is also<br /> a pretty big bug and can deadlock.<br /> <br /> Then we used down_read_trylock() instead of waiting for the reset to<br /> finish.<br /> <br /> (cherry picked from commit 361b6e6b303d4b691f6c5974d3eaab67ca6dd90e)
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53294

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mailbox-test: don&amp;#39;t free the reused channel<br /> <br /> The RX channel can be aliased to the TX channel if it has a different<br /> MMIO. This special case needs to be handled when freeing the channels<br /> otherwise a double-free occurs.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53295

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: add sanity check for channel array<br /> <br /> Fail gracefully if there is no channel array attached to the mailbox<br /> controller. Otherwise the later dereference will cause an OOPS which<br /> might not be seen because mailbox controllers might instantiate very<br /> early. Remove the comment explaining the obvious while here.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53296

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mailbox-test: free channels on probe error<br /> <br /> On probe error, free the previously obtained channels. This not only<br /> prevents a leak, but also UAF scenarios because the client structure<br /> will be removed nonetheless because it was allocated with devm.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53297

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mana: Guard mana_remove against double invocation<br /> <br /> If PM resume fails (e.g., mana_attach() returns an error), mana_probe()<br /> calls mana_remove(), which tears down the device and sets<br /> gd-&gt;gdma_context = NULL and gd-&gt;driver_data = NULL.<br /> <br /> However, a failed resume callback does not automatically unbind the<br /> driver. When the device is eventually unbound, mana_remove() is invoked<br /> a second time. Without a NULL check, it dereferences gc-&gt;dev with<br /> gc == NULL, causing a kernel panic.<br /> <br /> Add an early return if gdma_context or driver_data is NULL so the second<br /> invocation is harmless. Move the dev = gc-&gt;dev assignment after the<br /> guard so it cannot dereference NULL.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53285

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED<br /> <br /> [Why]<br /> dcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with<br /> DC_FP_START()/DC_FP_END(). In x86 non-RT, DC_FP_START takes fpregs_lock(),<br /> which disables local softirqs.<br /> <br /> The DML1 path through dcn32_enable_phantom_plane() calls kvzalloc() to<br /> allocate ~335 KiB for dc_plane_state. This triggers the vmalloc path,<br /> which calls BUG_ON(in_interrupt()) because it&amp;#39;s invoked within the<br /> FPU-enabled (softirq disabled) region, leading to a kernel crash.<br /> <br /> [How]<br /> Wrap the dc_state_create_phantom_plane() call with the<br /> DC_RUN_WITH_PREEMPTION_ENABLED() macro to allow preemption during<br /> this memory allocation.<br /> <br /> (cherry picked from commit 885ccbef7b94a8b38f69c4211c679021aa27ad11)
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53286

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: fix double free and use-after-free in aux device error paths<br /> <br /> When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or<br /> idpf_plug_core_aux_dev(), the err_aux_dev_add label calls<br /> auxiliary_device_uninit() and falls through to err_aux_dev_init. The<br /> uninit call will trigger put_device(), which invokes the release<br /> callback (idpf_vport_adev_release / idpf_core_adev_release) that frees<br /> iadev. The fall-through then reads adev-&gt;id from the freed iadev for<br /> ida_free() and double-frees iadev with kfree().<br /> <br /> Free the IDA slot and clear the back-pointer before uninit, while adev<br /> is still valid, then return immediately.<br /> <br /> Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization")<br /> fixed the same use-after-free in the matching unplug path in this file but<br /> missed both probe error paths.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53287

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> audit: fix incorrect inheritable capability in CAPSET records<br /> <br /> __audit_log_capset() records the effective capability set into the<br /> inheritable field due to a copy-paste error. Every CAPSET audit<br /> record therefore reports cap_pi (process inheritable) with the value<br /> of cap_effective instead of cap_inheritable.<br /> <br /> This silently corrupts audit data used for compliance and forensic<br /> analysis: an attacker who modifies inheritable capabilities to<br /> prepare for a privilege-escalating exec would have the change masked<br /> in the audit trail.<br /> <br /> The bug has been present since the original introduction of CAPSET<br /> audit records in 2008.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53288

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: Reserve an extra page for early kernel mapping<br /> <br /> The final part of [data, end) segment may overflow into the next page of<br /> init_pg_end[1] which is the gap page before early_init_stack[2]:<br /> <br /> [1]<br /> crash_arm64_v9.0.1&gt; vtop ffffffed00601000<br /> VIRTUAL PHYSICAL<br /> ffffffed00601000 83401000<br /> <br /> PAGE DIRECTORY: ffffffecffd62000<br /> PGD: ffffffecffd62da0 =&gt; 10000000833fb003<br /> PMD: ffffff80033fb018 =&gt; 10000000833fe003<br /> PTE: ffffff80033fe008 =&gt; 68000083401f03<br /> PAGE: 83401000<br /> <br /> PTE PHYSICAL FLAGS<br /> 68000083401f03 83401000 (VALID|SHARED|AF|NG|PXN|UXN)<br /> <br /> PAGE PHYSICAL MAPPING INDEX CNT FLAGS<br /> fffffffec00d0040 83401000 0 0 1 4000 reserved<br /> <br /> [2]<br /> ffffffed002c8000 (r) __pi__data<br /> ffffffed0054e000 (d) __pi___bss_start<br /> ffffffed005f5000 (b) __pi_init_pg_dir<br /> ffffffed005fe000 (b) __pi_init_pg_end<br /> ffffffed005ff000 (B) early_init_stack<br /> ffffffed00608000 (b) __pi__end<br /> <br /> For 4K pages, the early kernel mapping may use 2MB block entries but the<br /> kernel segments are only 64KB aligned. Segment boundaries that fall<br /> within a 2MB block therefore require a PTE table so that different<br /> attributes can be applied on either side of the boundary.<br /> <br /> KERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel<br /> VMAs registered by declare_kernel_vmas(). However, since commit<br /> 5973a62efa34 ("arm64: map [_text, _stext) virtual address range<br /> non-executable+read-only"), the early mapper also maps [_text, _stext)<br /> separately from [_stext, _etext). This adds one more early-only split<br /> and can require one more page-table page than the existing<br /> EARLY_SEGMENT_EXTRA_PAGES allowance reserves.<br /> <br /> Increase the 4K-page early mapping allowance by one page to cover that<br /> additional split.<br /> <br /> [catalin.marinas@arm.com: rewrote part of the commit log]<br /> [catalin.marinas@arm.com: expanded the code comment]
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53289

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix NULL pointer dereference in ice_reset_all_vfs()<br /> <br /> ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().<br /> When the VSI rebuild fails (e.g. during NVM firmware update via<br /> nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,<br /> leaving txq_map and rxq_map as NULL. The subsequent unconditional call<br /> to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in<br /> ice_ena_vf_q_mappings() when it accesses vsi-&gt;txq_map[0].<br /> <br /> The single-VF reset path in ice_reset_vf() already handles this<br /> correctly by checking the return value of ice_vf_reconfig_vsi() and<br /> skipping ice_vf_post_vsi_rebuild() on failure.<br /> <br /> Apply the same pattern to ice_reset_all_vfs(): check the return value<br /> of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and<br /> ice_eswitch_attach_vf() on failure. The VF is left safely disabled<br /> (ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can<br /> be recovered via a VFLR triggered by a PCI reset of the VF<br /> (sysfs reset or driver rebind).<br /> <br /> Note that this patch does not prevent the VF VSI rebuild from failing<br /> during NVM update — the underlying cause is firmware being in a<br /> transitional state while the EMP reset is processed, which can cause<br /> Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This<br /> patch only prevents the subsequent NULL pointer dereference that<br /> crashes the kernel when the rebuild does fail.<br /> <br /> crash&gt; bt<br /> PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"<br /> #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee<br /> #1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba<br /> #2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540<br /> #3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda<br /> #4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997<br /> #5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595<br /> #6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2<br /> [exception RIP: ice_ena_vf_q_mappings+0x79]<br /> RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206<br /> RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000<br /> RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040<br /> R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000<br /> R13: 0000000000000010 R14: R15:<br /> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018<br /> #7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]<br /> #8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]<br /> #9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]<br /> #10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4<br /> #11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de<br /> #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663<br /> #13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9<br /> <br /> The panic occurs attempting to dereference the NULL pointer in RDX at<br /> ice_sriov.c:294, which loads vsi-&gt;txq_map (offset 0x4b8 in ice_vsi).<br /> <br /> The faulting VSI is an allocated slab object but not fully initialized<br /> after a failed ice_vsi_rebuild():<br /> <br /> crash&gt; struct ice_vsi 0xff34c9efc27d4828<br /> netdev = 0x0,<br /> rx_rings = 0x0,<br /> tx_rings = 0x0,<br /> q_vectors = 0x0,<br /> txq_map = 0x0,<br /> rxq_map = 0x0,<br /> alloc_txq = 0x10,<br /> num_txq = 0x10,<br /> alloc_rxq = 0x10,<br /> num_rxq = 0x10,<br /> <br /> The nvmupdate64e process was performing NVM firmware update:<br /> <br /> crash&gt; bt 0xff34c9edd1a30000<br /> PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"<br /> #0 [ff72159bcd617618] __schedule at ffffffffab5333f8<br /> #4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]<br /> #5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]<br /> #6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]<br /> #7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]<br /> #8 <br /> ---truncated---
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026